SANS Digital Forensics and Incident Response Blog

A common question I am asked or see posted on forums, user groups and social media sites is: "What is the best computer forensic tool?" It is usually posed by someone getting started in the field and is an understandable query for an individual who is unfamiliar with some of the granular technical details of the field and is looking for direction on how to get their feet wet. In addition, there are considerable marketing efforts by product developers to set their solution apart from the rest, claiming to be the best, fastest, most reliable or somehow "court approved." (Chris Pogue recently touched upon the "court-approved" tool fallacy on his blog: http://thedigitalstandard.blogspot.com/2010/08/court-approved.html.)

When this question is posed I try to impress upon the person asking it that there are no forensic tools. There are only tools that forensic practitioners use in the course of gathering evidence and performing analysis.

I make this distinction because your thinking and approach are dangerously and fundamentally flawed if they are tool-centric when performing collections, analysis and investigations. Tools simply assist the investigator by expediting a process or helping interpret the data. As investigators we cannot simply trust a tool's output without validating it, verifying it and comparing it against the result of another method or tool. Our professional duty is to know, at a very technical level, how the things that assist us in our job actually work. This is not required in many other professions.
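As an added illustration of the validate-and-compare principle (this is example code written for this post, not a SANS or vendor tool), the script below takes a hash manifest in the common "hash  path" layout that hashing utilities emit, recomputes every digest with an independent implementation, and reports where the tool's claims and the recomputation disagree. The three sample files and the manifest, including one deliberately wrong hash and one file the manifest never listed, are constructed inside the script so it runs offline.

```python
"""Cross-validate a tool-produced hash manifest against an independent
recomputation. Added example for the SANS post; the manifest format
("<sha256>  <relative path>", one entry per line) and the sample files
are constructed here for demonstration, not taken from any real case."""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse 'hash  path' lines into {path: lowercase hash}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        entries[path] = digest.lower()
    return entries


def sha256_file(path, chunk=65536):
    """Independent SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def validate_manifest(manifest_text, root):
    """Recompute every listed hash and classify each entry.

    match:    tool's hash equals the independent recomputation
    mismatch: file exists but the hashes differ (tool or media problem)
    missing:  manifest lists a file that is not present under root
    unlisted: file present under root that the manifest never covered
    """
    claimed = parse_manifest(manifest_text)
    report = {"match": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in claimed.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        actual = sha256_file(full)
        (report["match"] if actual == digest else report["mismatch"]).append(rel)
    for name in sorted(os.listdir(root)):
        if name not in claimed:
            report["unlisted"].append(name)
    return report


def build_demo():
    """Constructed evidence set: three files plus a manifest that has one
    correct entry, one wrong hash (simulated tool error) and one entry for
    a file that does not exist; c.txt is present but never listed."""
    root = tempfile.mkdtemp(prefix="verify_demo_")
    samples = {"a.txt": b"first file\n", "b.txt": b"second file\n", "c.txt": b"third\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    good_a = hashlib.sha256(samples["a.txt"]).hexdigest()
    bad_b = "0" * 64  # deliberately wrong: what a buggy tool might report
    manifest = f"{good_a}  a.txt\n{bad_b}  b.txt\n{'1' * 64}  ghost.txt\n"
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo()
    for category, paths in validate_manifest(manifest, root).items():
        print(f"{category}: {paths}")
```

The point is not the hashing itself but the habit: every category other than `match` is a finding you must be able to explain before the tool's output goes into a report, and the independent computation is what lets you explain it.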

The UPS guy doesn't have to know the gritty details about fulcrum points, leverage or weight distribution to use the hand truck to get deliveries from the truck to the customer. He just needs to know how to put the boxes on the hand truck, deliver them and move on to the next delivery. The hand truck tool makes his job easier and he doesn't have to explain how it works. He knows that it is what he needs to get the job done.

We don't have that luxury in this field. We have to justify and potentially explain every aspect about how the tool works in a legal proceeding.

Digital forensics and computer investigations have a basis in scientific methodology that we need to accept and understand to perform our job and ultimately explain our findings. This requires a level of skepticism and objective thinking that is in direct conflict with blind trust in the claims made by others, by the manufacturer or by a developer about the authenticity of the results produced.

Also, by simply asking for the "best tool" without adding the context of what you are trying to achieve, you miss the crucial point that forensic methodology is a process. Would you pop into Home Depot and ask the first orange-aproned employee, "What's the best tool to build my house?" You need to have a plan prior to picking up a hammer, a screwdriver and a wrench.

Instead, it is important to be method-centric and frame your investigations. This requires you to use the best tool available — your brain. YOU are the best forensic tool for the job. Work to build confidence in your investigative methodology instead of in the claims made by someone else or a marketing pitch about what is "best." It will be you, NOT the tool, who is called to testify. It is very difficult to put a dongle on the witness stand and get a sworn statement.

"Forensics is a lot more than just imaging a drive." - Joseph Fresch, Guaranty Bank

"I had taken several other forensic courses prior to this one, but none of them or their instructors made understanding forensic methodologies and techniques as clear and understandable as Rob Lee and this course has." - Nathon Heck, Purdue

"Rob Lee is a master of the subject matter. The material is presented in a way that is understandable. Rob is also charismatic enough to make the course enjoyable." - Erik Ketlet, JP Morgan Chase